The growing use of biometrics continues to be a major trend across the consumer market. It has redefined the authentication user experience by combining simplicity and efficiency without requiring a PIN or password. But deploying these solutions always raises questions about the impact they have on transactions and, more generally, services.

Until recently, authentication—the way access to a service is controlled—has always been managed by the service provider, whether a bank or an e-commerce platform, and has traditionally been based on an ID and password. The switch to biometric authentication, overwhelmingly supported by users who appreciate its speed and ease of use, is a real game-changer that should not be taken lightly. As an Alliance dedicated to strong authentication, we need to explore this new paradigm and its effects, considering not only the industry and economic outcomes but also the ramifications for data protection.

Make no mistake, this change is not just a question of simple technological evolution: it delegates control over authentication to a third party.

From an industry standpoint, the spread of solutions integrating biometrics comes with the emergence of platforms offering access to services. The use of biometrics in mobile phones, tablets and TVs results in the development of solutions whose characteristics are exclusively known to and managed by the integrators. Implementation, upgrading and evaluation of these new authentication methods are therefore entrusted to new players outside the traditional transaction chain (e.g. regulators, card schemes, banks, retailers).

These new players are in a race to roll out a solution that will become the industry standard. They are vying for position as the leading innovator in the field and to establish the largest user base so they can shape the market with their vision, user experience, equipment and business model. Companies with global reach and a comprehensive approach have the upper hand over local actors, which operate within a necessarily smaller scope and possibly under restrictive local regulations, and which may not have the same large-scale production capacity.

In terms of transaction authentication and security standards, commodifying biometric solutions marks a real shift in thinking, especially for European countries that have established and implemented robust security standards that rely on evaluation and certification schemes. It is disrupting our way of seeing things: widespread use of biometrics is considered progress over existing practices in countries still dominated by the magnetic stripe, but it just raises more questions in countries that have adopted chip cards.

This baseline position could plausibly explain our current perception of biometrics. Yet the major question of how to implement biometrics in consumer devices such as mobile phones remains unanswered.

In fact, many questions around implementation, openness and evaluation have not been sufficiently addressed. A prime example of the consequences can be seen in the recent revelation that the Android OS contains malware capable of potentially stealing fingerprint data from devices, such as from the Samsung Galaxy S5's fingerprint reader, before the data reaches a secure processor.[1] The market is clearly waiting for certain key details to be fleshed out before biometrics can really take off.

There is also still work to be done on evaluating the different implementations for authenticating access to value-added services. A number of initiatives have taken shape to provide visibility into the performance and security required in biometric technologies, including the BEAT project sponsored by the EU and projects under way at the Biometrics Alliance Initiative [2].

The spread of biometric solutions also signals a change in business model, as new actors become a necessary link in the transaction and value chains.

New actors have made their way into the value chain, looking for ways to enhance the value of data that passes through their platforms while monetizing the authentication operations that rely on their technologies.

This meeting will focus on questions around implementing, testing and evaluating biometric technologies, and serve as the basis for a new white paper.

Specifically, we will address security in implementations, looking at how to ensure that implementations provide the requisite security and functionality. Evaluation will be examined with respect to functioning, suitability for the current environment and application to real use cases. We will also consider the perspectives of different regulators, for example banking regulators and regulators involved in data protection.